cd082a1713958e62f13e4745780bdcbfeb17a58bd2bb0cd8162b827ec8186e44

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b2ab90d3cefd2ce1e62bba0bbda1e10_NeikiAnalytics.exe
Size

117KB
MD5

6b2ab90d3cefd2ce1e62bba0bbda1e10
SHA1

c698b403dce95c385bd9ff035f69eba55ee2dea2
SHA256

cd082a1713958e62f13e4745780bdcbfeb17a58bd2bb0cd8162b827ec8186e44
SHA512

729f7f242cddeceef78319d13a6419cc0954a16463271f3a66fa4a26f4578b5186195b56e191dad2f9b385952b29f41aed6fc13cc6b8e7d491fdb903e49c4110
SSDEEP

1536:XKzCiCoYhNihhpXr8+t+ekPHTdXvLDVFsf9gFFfUN1Avhw6JCM:XKeiCoYrUDI+cPzdX/Yf9gFFfUrQlM

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Gqikdn32.exeIiibkn32.exeLaopdgcg.exeMpkbebbf.exeMjeddggd.exeMcpebmkb.exeGcggpj32.exeGqkhjn32.exeJkdnpo32.exeKknafn32.exeMcnhmm32.exeHmdedo32.exeIidipnal.exeLcdegnep.exeMpaifalo.exeJdhine32.exeJjbako32.exeMdpalp32.exeHabnjm32.exeIdofhfmm.exeJjpeepnb.exeNnjbke32.exeLklnhlfb.exeLcgblncm.exeMpolqa32.exeNjljefql.exeKgphpo32.exeLnepih32.exeGfnnlffc.exeIbojncfj.exeIfmcdblq.exeGjapmdid.exeNcldnkae.exeIdacmfkj.exeKajfig32.exeGbenqg32.exeGfhqbe32.exeJdmcidam.exeJmpngk32.exeMaaepd32.exeGbcakg32.exeGmhfhp32.exeGcidfi32.exeHpgkkioa.exeKibnhjgj.exeGjocgdkg.exeIcgqggce.exeMajopeii.exeIiffen32.exeJaedgjjd.exeKkihknfg.exeMjjmog32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe

Executes dropped EXE 64 IoCs

Processes:

Fmficqpc.exeFqaeco32.exeGbcakg32.exeGfnnlffc.exeGmhfhp32.exeGogbdl32.exeGbenqg32.exeGjlfbd32.exeGqfooodg.exeGbgkfg32.exeGjocgdkg.exeGqikdn32.exeGcggpj32.exeGjapmdid.exeGqkhjn32.exeGcidfi32.exeGfhqbe32.exeGifmnpnl.exeHclakimb.exeHfjmgdlf.exeHmdedo32.exeHcnnaikp.exeHikfip32.exeHabnjm32.exeHjjbcbqj.exeHpgkkioa.exeHccglh32.exeHjmoibog.exeHmmhjm32.exeIcgqggce.exeIidipnal.exeIpnalhii.exeIiffen32.exeIannfk32.exeIbojncfj.exeIjfboafl.exeIiibkn32.exeIapjlk32.exeIdofhfmm.exeIfmcdblq.exeIdacmfkj.exeIjkljp32.exeIinlemia.exeJaedgjjd.exeJbfpobpb.exeJjmhppqd.exeJmkdlkph.exeJpjqhgol.exeJjpeepnb.exeJmnaakne.exeJplmmfmi.exeJdhine32.exeJjbako32.exeJmpngk32.exeJdjfcecp.exeJkdnpo32.exeJmbklj32.exeJdmcidam.exeJkfkfohj.exeJiikak32.exeKpccnefa.exeKbapjafe.exeKkihknfg.exeKpepcedo.exe

pid	process
1624	Fmficqpc.exe
4748	Fqaeco32.exe
1292	Gbcakg32.exe
1888	Gfnnlffc.exe
1644	Gmhfhp32.exe
5036	Gogbdl32.exe
2260	Gbenqg32.exe
748	Gjlfbd32.exe
2316	Gqfooodg.exe
3884	Gbgkfg32.exe
1308	Gjocgdkg.exe
4688	Gqikdn32.exe
1248	Gcggpj32.exe
4656	Gjapmdid.exe
3296	Gqkhjn32.exe
3312	Gcidfi32.exe
3148	Gfhqbe32.exe
4936	Gifmnpnl.exe
2676	Hclakimb.exe
4888	Hfjmgdlf.exe
4504	Hmdedo32.exe
2328	Hcnnaikp.exe
1560	Hikfip32.exe
2576	Habnjm32.exe
4744	Hjjbcbqj.exe
3824	Hpgkkioa.exe
1768	Hccglh32.exe
4144	Hjmoibog.exe
4068	Hmmhjm32.exe
2616	Icgqggce.exe
432	Iidipnal.exe
3888	Ipnalhii.exe
1524	Iiffen32.exe
2964	Iannfk32.exe
3220	Ibojncfj.exe
2776	Ijfboafl.exe
3792	Iiibkn32.exe
1388	Iapjlk32.exe
752	Idofhfmm.exe
2532	Ifmcdblq.exe
2688	Idacmfkj.exe
1040	Ijkljp32.exe
3100	Iinlemia.exe
2064	Jaedgjjd.exe
2876	Jbfpobpb.exe
4608	Jjmhppqd.exe
3872	Jmkdlkph.exe
860	Jpjqhgol.exe
2088	Jjpeepnb.exe
688	Jmnaakne.exe
3880	Jplmmfmi.exe
4228	Jdhine32.exe
2268	Jjbako32.exe
4860	Jmpngk32.exe
3572	Jdjfcecp.exe
3380	Jkdnpo32.exe
3356	Jmbklj32.exe
4464	Jdmcidam.exe
5044	Jkfkfohj.exe
1020	Jiikak32.exe
4048	Kpccnefa.exe
2860	Kbapjafe.exe
1948	Kkihknfg.exe
2392	Kpepcedo.exe

Drops file in System32 directory 64 IoCs

Processes:

Kgphpo32.exeNjljefql.exeNgedij32.exeIidipnal.exeJpjqhgol.exeKdaldd32.exeJmkdlkph.exeMpolqa32.exeNgpjnkpf.exeNbhkac32.exeNcldnkae.exeGjapmdid.exeKaemnhla.exeMjeddggd.exeNbkhfc32.exeGogbdl32.exeJmnaakne.exeMncmjfmk.exeIannfk32.exeIbojncfj.exeMgghhlhq.exeMajopeii.exeKajfig32.exeJdmcidam.exeNnjbke32.exeJkfkfohj.exeJjmhppqd.exeLdmlpbbj.exeMahbje32.exeHfjmgdlf.exeLnepih32.exeMkepnjng.exeHmdedo32.exeHccglh32.exeKpjjod32.exeIinlemia.exeMcpebmkb.exeGmhfhp32.exeGqikdn32.exeJbfpobpb.exeHjmoibog.exeIfmcdblq.exeKbapjafe.exeLphfpbdi.exeMaohkd32.exeLcgblncm.exeHikfip32.exeMdfofakp.exeJdjfcecp.exeKdcijcke.exeNceonl32.exeGbgkfg32.exeKpccnefa.exeMpaifalo.exeGfnnlffc.exeKpepcedo.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Gbenqg32.exe	Gogbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hfjmgdlf.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Gogbdl32.exe	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hccglh32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Honckk32.dll	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Gmhfhp32.exe	Gfnnlffc.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kpepcedo.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5840 6056 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
5840	6056	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Ncldnkae.exeIdacmfkj.exeJdhine32.exeNbhkac32.exe6b2ab90d3cefd2ce1e62bba0bbda1e10_NeikiAnalytics.exeMkepnjng.exeLmccchkn.exeLnepih32.exeNdidbn32.exeHclakimb.exeIdofhfmm.exeLilanioo.exeNceonl32.exeGjlfbd32.exeNgpjnkpf.exeFqaeco32.exeGmhfhp32.exeIfmcdblq.exeJdjfcecp.exeGbgkfg32.exeIpnalhii.exeIjfboafl.exeJaedgjjd.exeMjeddggd.exeKdaldd32.exeIbojncfj.exeIiibkn32.exeLaopdgcg.exeLdmlpbbj.exeKpepcedo.exeNnjbke32.exeJjmhppqd.exeKaemnhla.exeLjnnch32.exeMdpalp32.exeFmficqpc.exeIidipnal.exeKpccnefa.exeKckbqpnj.exeMcnhmm32.exeJjbako32.exeMdiklqhm.exeNjljefql.exeIjkljp32.exeHjmoibog.exeMajopeii.exeNkncdifl.exeKcifkp32.exeMcbahlip.exeMkgmcjld.exeNdghmo32.exeGbcakg32.exeJiikak32.exeGqkhjn32.exeJkfkfohj.exeMdfofakp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	6b2ab90d3cefd2ce1e62bba0bbda1e10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddfqf32.dll"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakfehok.dll"	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	6b2ab90d3cefd2ce1e62bba0bbda1e10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdfofakp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6b2ab90d3cefd2ce1e62bba0bbda1e10_NeikiAnalytics.exeFmficqpc.exeFqaeco32.exeGbcakg32.exeGfnnlffc.exeGmhfhp32.exeGogbdl32.exeGbenqg32.exeGjlfbd32.exeGqfooodg.exeGbgkfg32.exeGjocgdkg.exeGqikdn32.exeGcggpj32.exeGjapmdid.exeGqkhjn32.exeGcidfi32.exeGfhqbe32.exeGifmnpnl.exeHclakimb.exeHfjmgdlf.exeHmdedo32.exe

description	pid	process	target process
PID 940 wrote to memory of 1624	940	6b2ab90d3cefd2ce1e62bba0bbda1e10_NeikiAnalytics.exe	Fmficqpc.exe
PID 940 wrote to memory of 1624	940	6b2ab90d3cefd2ce1e62bba0bbda1e10_NeikiAnalytics.exe	Fmficqpc.exe
PID 940 wrote to memory of 1624	940	6b2ab90d3cefd2ce1e62bba0bbda1e10_NeikiAnalytics.exe	Fmficqpc.exe
PID 1624 wrote to memory of 4748	1624	Fmficqpc.exe	Fqaeco32.exe
PID 1624 wrote to memory of 4748	1624	Fmficqpc.exe	Fqaeco32.exe
PID 1624 wrote to memory of 4748	1624	Fmficqpc.exe	Fqaeco32.exe
PID 4748 wrote to memory of 1292	4748	Fqaeco32.exe	Gbcakg32.exe
PID 4748 wrote to memory of 1292	4748	Fqaeco32.exe	Gbcakg32.exe
PID 4748 wrote to memory of 1292	4748	Fqaeco32.exe	Gbcakg32.exe
PID 1292 wrote to memory of 1888	1292	Gbcakg32.exe	Gfnnlffc.exe
PID 1292 wrote to memory of 1888	1292	Gbcakg32.exe	Gfnnlffc.exe
PID 1292 wrote to memory of 1888	1292	Gbcakg32.exe	Gfnnlffc.exe
PID 1888 wrote to memory of 1644	1888	Gfnnlffc.exe	Gmhfhp32.exe
PID 1888 wrote to memory of 1644	1888	Gfnnlffc.exe	Gmhfhp32.exe
PID 1888 wrote to memory of 1644	1888	Gfnnlffc.exe	Gmhfhp32.exe
PID 1644 wrote to memory of 5036	1644	Gmhfhp32.exe	Gogbdl32.exe
PID 1644 wrote to memory of 5036	1644	Gmhfhp32.exe	Gogbdl32.exe
PID 1644 wrote to memory of 5036	1644	Gmhfhp32.exe	Gogbdl32.exe
PID 5036 wrote to memory of 2260	5036	Gogbdl32.exe	Gbenqg32.exe
PID 5036 wrote to memory of 2260	5036	Gogbdl32.exe	Gbenqg32.exe
PID 5036 wrote to memory of 2260	5036	Gogbdl32.exe	Gbenqg32.exe
PID 2260 wrote to memory of 748	2260	Gbenqg32.exe	Gjlfbd32.exe
PID 2260 wrote to memory of 748	2260	Gbenqg32.exe	Gjlfbd32.exe
PID 2260 wrote to memory of 748	2260	Gbenqg32.exe	Gjlfbd32.exe
PID 748 wrote to memory of 2316	748	Gjlfbd32.exe	Gqfooodg.exe
PID 748 wrote to memory of 2316	748	Gjlfbd32.exe	Gqfooodg.exe
PID 748 wrote to memory of 2316	748	Gjlfbd32.exe	Gqfooodg.exe
PID 2316 wrote to memory of 3884	2316	Gqfooodg.exe	Gbgkfg32.exe
PID 2316 wrote to memory of 3884	2316	Gqfooodg.exe	Gbgkfg32.exe
PID 2316 wrote to memory of 3884	2316	Gqfooodg.exe	Gbgkfg32.exe
PID 3884 wrote to memory of 1308	3884	Gbgkfg32.exe	Gjocgdkg.exe
PID 3884 wrote to memory of 1308	3884	Gbgkfg32.exe	Gjocgdkg.exe
PID 3884 wrote to memory of 1308	3884	Gbgkfg32.exe	Gjocgdkg.exe
PID 1308 wrote to memory of 4688	1308	Gjocgdkg.exe	Gqikdn32.exe
PID 1308 wrote to memory of 4688	1308	Gjocgdkg.exe	Gqikdn32.exe
PID 1308 wrote to memory of 4688	1308	Gjocgdkg.exe	Gqikdn32.exe
PID 4688 wrote to memory of 1248	4688	Gqikdn32.exe	Gcggpj32.exe
PID 4688 wrote to memory of 1248	4688	Gqikdn32.exe	Gcggpj32.exe
PID 4688 wrote to memory of 1248	4688	Gqikdn32.exe	Gcggpj32.exe
PID 1248 wrote to memory of 4656	1248	Gcggpj32.exe	Gjapmdid.exe
PID 1248 wrote to memory of 4656	1248	Gcggpj32.exe	Gjapmdid.exe
PID 1248 wrote to memory of 4656	1248	Gcggpj32.exe	Gjapmdid.exe
PID 4656 wrote to memory of 3296	4656	Gjapmdid.exe	Gqkhjn32.exe
PID 4656 wrote to memory of 3296	4656	Gjapmdid.exe	Gqkhjn32.exe
PID 4656 wrote to memory of 3296	4656	Gjapmdid.exe	Gqkhjn32.exe
PID 3296 wrote to memory of 3312	3296	Gqkhjn32.exe	Gcidfi32.exe
PID 3296 wrote to memory of 3312	3296	Gqkhjn32.exe	Gcidfi32.exe
PID 3296 wrote to memory of 3312	3296	Gqkhjn32.exe	Gcidfi32.exe
PID 3312 wrote to memory of 3148	3312	Gcidfi32.exe	Gfhqbe32.exe
PID 3312 wrote to memory of 3148	3312	Gcidfi32.exe	Gfhqbe32.exe
PID 3312 wrote to memory of 3148	3312	Gcidfi32.exe	Gfhqbe32.exe
PID 3148 wrote to memory of 4936	3148	Gfhqbe32.exe	Gifmnpnl.exe
PID 3148 wrote to memory of 4936	3148	Gfhqbe32.exe	Gifmnpnl.exe
PID 3148 wrote to memory of 4936	3148	Gfhqbe32.exe	Gifmnpnl.exe
PID 4936 wrote to memory of 2676	4936	Gifmnpnl.exe	Hclakimb.exe
PID 4936 wrote to memory of 2676	4936	Gifmnpnl.exe	Hclakimb.exe
PID 4936 wrote to memory of 2676	4936	Gifmnpnl.exe	Hclakimb.exe
PID 2676 wrote to memory of 4888	2676	Hclakimb.exe	Hfjmgdlf.exe
PID 2676 wrote to memory of 4888	2676	Hclakimb.exe	Hfjmgdlf.exe
PID 2676 wrote to memory of 4888	2676	Hclakimb.exe	Hfjmgdlf.exe
PID 4888 wrote to memory of 4504	4888	Hfjmgdlf.exe	Hmdedo32.exe
PID 4888 wrote to memory of 4504	4888	Hfjmgdlf.exe	Hmdedo32.exe
PID 4888 wrote to memory of 4504	4888	Hfjmgdlf.exe	Hmdedo32.exe
PID 4504 wrote to memory of 2328	4504	Hmdedo32.exe	Hcnnaikp.exe

C:\Users\Admin\AppData\Local\Temp\6b2ab90d3cefd2ce1e62bba0bbda1e10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6b2ab90d3cefd2ce1e62bba0bbda1e10_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\Fmficqpc.exe
C:\Windows\system32\Fmficqpc.exe
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\Fqaeco32.exe
C:\Windows\system32\Fqaeco32.exe
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\Gbcakg32.exe
C:\Windows\system32\Gbcakg32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\Gfnnlffc.exe
C:\Windows\system32\Gfnnlffc.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\Gmhfhp32.exe
C:\Windows\system32\Gmhfhp32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\Gogbdl32.exe
C:\Windows\system32\Gogbdl32.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\Gbenqg32.exe
C:\Windows\system32\Gbenqg32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\Gjlfbd32.exe
C:\Windows\system32\Gjlfbd32.exe
9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\Gqfooodg.exe
C:\Windows\system32\Gqfooodg.exe
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\Gbgkfg32.exe
C:\Windows\system32\Gbgkfg32.exe
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\SysWOW64\Gjocgdkg.exe
C:\Windows\system32\Gjocgdkg.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\Gqikdn32.exe
C:\Windows\system32\Gqikdn32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\Gcggpj32.exe
C:\Windows\system32\Gcggpj32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\Gjapmdid.exe
C:\Windows\system32\Gjapmdid.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\Gqkhjn32.exe
C:\Windows\system32\Gqkhjn32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\SysWOW64\Gcidfi32.exe
C:\Windows\system32\Gcidfi32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\Gfhqbe32.exe
C:\Windows\system32\Gfhqbe32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\Gifmnpnl.exe
C:\Windows\system32\Gifmnpnl.exe
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\Hclakimb.exe
C:\Windows\system32\Hclakimb.exe
20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\Hfjmgdlf.exe
C:\Windows\system32\Hfjmgdlf.exe
21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\Hmdedo32.exe
C:\Windows\system32\Hmdedo32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\Hcnnaikp.exe
C:\Windows\system32\Hcnnaikp.exe
23⤵
- Executes dropped EXE
PID:2328

C:\Windows\SysWOW64\Hikfip32.exe
C:\Windows\system32\Hikfip32.exe
24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1560

C:\Windows\SysWOW64\Habnjm32.exe
C:\Windows\system32\Habnjm32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2576

C:\Windows\SysWOW64\Hjjbcbqj.exe
C:\Windows\system32\Hjjbcbqj.exe
26⤵
- Executes dropped EXE
PID:4744

C:\Windows\SysWOW64\Hpgkkioa.exe
C:\Windows\system32\Hpgkkioa.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3824

C:\Windows\SysWOW64\Hccglh32.exe
C:\Windows\system32\Hccglh32.exe
28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1768

C:\Windows\SysWOW64\Hjmoibog.exe
C:\Windows\system32\Hjmoibog.exe
29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4144

C:\Windows\SysWOW64\Hmmhjm32.exe
C:\Windows\system32\Hmmhjm32.exe
30⤵
- Executes dropped EXE
PID:4068

C:\Windows\SysWOW64\Icgqggce.exe
C:\Windows\system32\Icgqggce.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2616

C:\Windows\SysWOW64\Iidipnal.exe
C:\Windows\system32\Iidipnal.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:432

C:\Windows\SysWOW64\Ipnalhii.exe
C:\Windows\system32\Ipnalhii.exe
33⤵
- Executes dropped EXE
- Modifies registry class
PID:3888

C:\Windows\SysWOW64\Iiffen32.exe
C:\Windows\system32\Iiffen32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1524

C:\Windows\SysWOW64\Iannfk32.exe
C:\Windows\system32\Iannfk32.exe
35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2964

C:\Windows\SysWOW64\Ibojncfj.exe
C:\Windows\system32\Ibojncfj.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3220

C:\Windows\SysWOW64\Ijfboafl.exe
C:\Windows\system32\Ijfboafl.exe
37⤵
- Executes dropped EXE
- Modifies registry class
PID:2776

C:\Windows\SysWOW64\Iiibkn32.exe
C:\Windows\system32\Iiibkn32.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3792

C:\Windows\SysWOW64\Iapjlk32.exe
C:\Windows\system32\Iapjlk32.exe
39⤵
- Executes dropped EXE
PID:1388

C:\Windows\SysWOW64\Idofhfmm.exe
C:\Windows\system32\Idofhfmm.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:752

C:\Windows\SysWOW64\Ifmcdblq.exe
C:\Windows\system32\Ifmcdblq.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2532

C:\Windows\SysWOW64\Idacmfkj.exe
C:\Windows\system32\Idacmfkj.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2688

C:\Windows\SysWOW64\Ijkljp32.exe
C:\Windows\system32\Ijkljp32.exe
43⤵
- Executes dropped EXE
- Modifies registry class
PID:1040

C:\Windows\SysWOW64\Iinlemia.exe
C:\Windows\system32\Iinlemia.exe
44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3100

C:\Windows\SysWOW64\Jaedgjjd.exe
C:\Windows\system32\Jaedgjjd.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2064

C:\Windows\SysWOW64\Jbfpobpb.exe
C:\Windows\system32\Jbfpobpb.exe
46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2876

C:\Windows\SysWOW64\Jjmhppqd.exe
C:\Windows\system32\Jjmhppqd.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4608

C:\Windows\SysWOW64\Jmkdlkph.exe
C:\Windows\system32\Jmkdlkph.exe
48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3872

C:\Windows\SysWOW64\Jpjqhgol.exe
C:\Windows\system32\Jpjqhgol.exe
49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:860

C:\Windows\SysWOW64\Jjpeepnb.exe
C:\Windows\system32\Jjpeepnb.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2088

C:\Windows\SysWOW64\Jmnaakne.exe
C:\Windows\system32\Jmnaakne.exe
51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:688

C:\Windows\SysWOW64\Jplmmfmi.exe
C:\Windows\system32\Jplmmfmi.exe
52⤵
- Executes dropped EXE
PID:3880

C:\Windows\SysWOW64\Jdhine32.exe
C:\Windows\system32\Jdhine32.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4228

C:\Windows\SysWOW64\Jjbako32.exe
C:\Windows\system32\Jjbako32.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2268

C:\Windows\SysWOW64\Jmpngk32.exe
C:\Windows\system32\Jmpngk32.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4860

C:\Windows\SysWOW64\Jdjfcecp.exe
C:\Windows\system32\Jdjfcecp.exe
56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3572

C:\Windows\SysWOW64\Jkdnpo32.exe
C:\Windows\system32\Jkdnpo32.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3380

C:\Windows\SysWOW64\Jmbklj32.exe
C:\Windows\system32\Jmbklj32.exe
58⤵
- Executes dropped EXE
PID:3356

C:\Windows\SysWOW64\Jdmcidam.exe
C:\Windows\system32\Jdmcidam.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4464

C:\Windows\SysWOW64\Jkfkfohj.exe
C:\Windows\system32\Jkfkfohj.exe
60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5044

C:\Windows\SysWOW64\Jiikak32.exe
C:\Windows\system32\Jiikak32.exe
61⤵
- Executes dropped EXE
- Modifies registry class
PID:1020

C:\Windows\SysWOW64\Kpccnefa.exe
C:\Windows\system32\Kpccnefa.exe
62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4048

C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2860

C:\Windows\SysWOW64\Kkihknfg.exe
C:\Windows\system32\Kkihknfg.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1948

C:\Windows\SysWOW64\Kpepcedo.exe
C:\Windows\system32\Kpepcedo.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2392

C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
66⤵
- Drops file in System32 directory
- Modifies registry class
PID:4328

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4676

C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
68⤵
PID:1924

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
69⤵
- Drops file in System32 directory
- Modifies registry class
PID:4252

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
70⤵
- Drops file in System32 directory
PID:1752

C:\Windows\SysWOW64\Kknafn32.exe
C:\Windows\system32\Kknafn32.exe
71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:668

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
72⤵
PID:1596

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
73⤵
- Drops file in System32 directory
PID:4564

C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
74⤵
- Modifies registry class
PID:880

C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1360

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1316

C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
77⤵
- Modifies registry class
PID:1276

C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
78⤵
PID:2928

C:\Windows\SysWOW64\Ldkojb32.exe
C:\Windows\system32\Ldkojb32.exe
79⤵
PID:3164

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
80⤵
PID:4548

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
81⤵
- Modifies registry class
PID:2772

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4556

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
83⤵
- Drops file in System32 directory
- Modifies registry class
PID:396

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
84⤵
PID:1356

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3748

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
86⤵
PID:1976

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
87⤵
PID:3188

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
88⤵
- Modifies registry class
PID:628

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
89⤵
PID:4724

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:728

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5124

C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
92⤵
- Modifies registry class
PID:5164

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
93⤵
- Drops file in System32 directory
PID:5228

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5272

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
95⤵
PID:5336

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
96⤵
- Drops file in System32 directory
PID:5424

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5476

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
98⤵
- Drops file in System32 directory
- Modifies registry class
PID:5520

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
99⤵
PID:5576

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
100⤵
PID:5632

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
101⤵
PID:5692

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5752

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
103⤵
PID:5796

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
104⤵
- Modifies registry class
PID:5848

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
105⤵
- Drops file in System32 directory
PID:5896

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5940

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5992

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6044

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
109⤵
- Drops file in System32 directory
- Modifies registry class
PID:6088

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
110⤵
- Drops file in System32 directory
PID:6128

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
111⤵
- Drops file in System32 directory
PID:5148

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5204

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5320

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
114⤵
- Modifies registry class
PID:5412

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5512

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5604

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5688

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
118⤵
- Modifies registry class
PID:5780

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5864

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
120⤵
PID:5928

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
121⤵
PID:5988

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
122⤵
- Drops file in System32 directory
- Modifies registry class
PID:6076

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
123⤵
- Drops file in System32 directory
- Modifies registry class
PID:3068

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
124⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5328

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
125⤵
PID:5460

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
126⤵
- Modifies registry class
PID:5612

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
127⤵
- Drops file in System32 directory
- Modifies registry class
PID:5764

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
128⤵
- Modifies registry class
PID:5892

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
129⤵
- Drops file in System32 directory
PID:6032

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
130⤵
PID:6124

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
131⤵
- Drops file in System32 directory
PID:5404

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
132⤵
- Modifies registry class
PID:5556

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
133⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5804

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
134⤵
PID:6056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 240
135⤵
- Program crash
PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6056 -ip 6056
1⤵
PID:5484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
117KB

MD5
badac5ce17862e8ffd42706d0853de97

SHA1
2511a1160a427003724cb40e2b34c0d950cb067b

SHA256
e8e81181ed252aeb1d539ae2a056b34d29c97622ae1d2266cc4def687b17ee50

SHA512
3c11d74e13ed2600cf1a403b0a1744712ff94ab1b8e619b6efcbeb08bea4d811c4699dabfe25b21da39ab749913bd88438f8e1d3d62f3fa52b3a1e2ae84812b1

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
117KB

MD5
07d7a0e6733a918bf192affb6fa748cc

SHA1
81a6f953fc802a3fbdd6c092c751186b824566e2

SHA256
fa8939c5e6e24f47f5a044bda8f41596d5d60cae76cdf576e475f24b2ffee098

SHA512
be9df3565f8191ef07fe98cbd2505abdbe403c9b2b06509197126212f9d04048cb6e94d0a36193d810ac42d4d38094e84c94d3a306193e270d4756fb9d5ff869

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
117KB

MD5
70d18deec342ae1f98777a33770d22cc

SHA1
b5a1fe331fbcf8e8f095b4728e5b94b9ac78063c

SHA256
6efa099c40d2873b2e81b32d06287bd13bec85db393be1bcb1dacff0802b22c5

SHA512
e3b457cf01f2b8deb13cb5b5f88868b1596c4d3020cea6bbcc85dfa37d5e6c94c96bc7e96ee9abee35084aea9a11da7bd4a1cbebf39ff6323353ca6fb5db46b9

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
117KB

MD5
0bd43bc203f444a31bc8cd3da28354e1

SHA1
3c18ed85190c8542388ae010f3d7c7bba5740821

SHA256
d5a570eff185ea8d08e834c6c5446cd0f8e0a3b2b6ddac78c953e297d177a3ac

SHA512
07b8345a2966403e0c81b21284d704e15f091cc1d086298dd44d392ff642112911dd1576eb69adcfe7b4b0ca443174cee748bcda7d91476100d68de8cc2beea5

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
117KB

MD5
27270c6093cf4779e3f7d74ec2434a06

SHA1
815bd712776ecd8445c37733935889d06e81a140

SHA256
2276c92816bd00dddfd8ddbc104028f5172375214451b25417728dbc85b29a0d

SHA512
69575c038d2f2c84e7d793a33b5094a6e212c809744d7f41a83d68356148f0ae8b5ae4052a2d9e30b424512c4ba504a2d3908938fd55b55ea4fd43a17018b4eb

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
117KB

MD5
b3243cc93753f07e8d13325a00989666

SHA1
112669c0209fc8ec7b47299d5074135bb649f7c0

SHA256
2826f85c2de9416a8de6ce4c5f43dd3922c607dd7dd76f6b901afb58044fbadb

SHA512
1841b174ba8d579e6c866f043c9b13002426c17ac5b12949c376ba3592499cc80a8255caac17bd0b54ce20a8a3998ffb0aaf991bc921e44ee7356c55018f103a

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
117KB

MD5
775c7c59f0cfbc85d392e01e89169c00

SHA1
a0d9c1410242a2f3fceb933d69dece68c281174f

SHA256
80a883ea0f2fc52e9ed523064d96f5135402b29b8bfda74233fae908ee82d105

SHA512
46e566d3bd4710437b5ec90295ef58468602081d05a9b0c8b5781608d1831259b9a06df780307fa821ac887f35c84161b9dbaaab37f2eea87f5adf7bd2bdfa83

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
117KB

MD5
0aa500de496a4dc3d0189b632c41fb2e

SHA1
72521065dade41475cad7ca83e33f1332e3b32e4

SHA256
52c7a92ff5b1271e2b32158938c65baa7735a5fece1697fceb995b77b7155fce

SHA512
c1aa0f8b2b9cc3320cf1726783b5c1ea2833829e95ac4938e2a0c76ff6a3456378be673cfe728ebd3299c407483ef74b089d3c29aa6cc58c3b20bd30d762f26a

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
117KB

MD5
43b79392b40fe6cd81ef949b967ca942

SHA1
9d635ed28b4e5e27d246ae21b82db8e2733e2ff7

SHA256
0f1b8f34afaea14284e1b6e798ed6f51c48e7543f84afc69db970699ab7fd39f

SHA512
33a47bdb3beff4b24431aa388f960bfaafaa7636b7be25931c7dcdd1d6b595ef515f5fc433cf647dab959ceb8d639bafc4c6a061e3d3147712113234738126ea

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
117KB

MD5
7c6c4f805578cb3cd7ba58d5d5fd2c92

SHA1
098b69a1a4697158dc619b2767c7aa201d6f5448

SHA256
52cd91808b8f046680421d26d7a413a0b5a8e7129e352f73c01b54617a3e5546

SHA512
256f3b8efa3134f4a74b11b9b59a3fddf29633812f67b9f7dd9bff229bf96c6c092700ab5f25320bda84f509148a41bf3652fb0e35edcd477f3e3d1883ab8337

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
117KB

MD5
a9a3937787999662aca2ac617abbb649

SHA1
d4a9e91b3d19bb3497bd5a5738521407f843a93d

SHA256
9297813fd9cd5794ce2fa909a70db39c59467bb1bb4f1729fa80922338048149

SHA512
b2a5be1b5820d77f0dbc18780aeae40a241c32e0add34b4398e391b28debc35d7e4fad98a824287ab9fdc5eb97b5f8ee81177996e5b9433f52ce23a6f91ea9c0

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
117KB

MD5
886dd169f98999ee981b906d8faa2d87

SHA1
0f524e85267d79097b65ce920e83ab0c43fbd633

SHA256
56e23713dfaadf818af6452e5f3384c7bf9ee2c76d7554916e5477a3ad6b1e4d

SHA512
3e74b63c57e083a5a0e079bb99cb0225be030ca6a8719fafb04eb32ed7815d75a112f7f6722cf6028ef6db9a361a3b2864bde83eb0feaddd9e7aef4970c0faae

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
117KB

MD5
e55b623ce6797f0eafd3cd2faad8272e

SHA1
64b4d8c0714a542ef22d83bdffa307899b3e46d3

SHA256
8f713ed89c0f3568af8c91f10a360c4b1998a4efca11a8781520d7e1d6a8fec6

SHA512
494b2be4a6d545cbdd42906728e31933b793fe62ce4b279756ec740683e4caf42b1c8545d2ce545001f603aadfcc94755275cccb92b80222fffa640d9cf8df8e

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
117KB

MD5
0f0f91a7ed9ca4542ad4cae74e537640

SHA1
dffcedf014a627a2c04291796e5194d39f9b5b67

SHA256
3057f19499bd54c16db1980b1cca58950bd548ca5fdcb5018538584c1088dccd

SHA512
553c83787bfe5d06077624cb31e356fdb93019a7889cb4db6cc1180ab9aa08dd49c9d3aff6c5b8d2afa1401f6488e83a4e87bd62bcb47ba651bdcb510c522357

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
117KB

MD5
51502c070485a470798adff2cc370dae

SHA1
241a04a394f6bd42f2777b5055e8b7d554d08c28

SHA256
76d8bc3557e65bd86357d1f0c5c97cc5375c5b7b7cc5d9c7ead9146953b6e6dd

SHA512
ff96cf23ca7d94fd66629dda7e8c13133ea13a46d20dd6eb7ef41f22844fdc3d5c6f57b8a17749ce5dff39a69e27c2da82759f04e3023e0313a9966e9477483a

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
117KB

MD5
2ff4749d808cbf0ce2298c8c30f6dfbd

SHA1
3e3c9617547bcd9c64404437aa7b8d2e062212ee

SHA256
6031da7b26230d8b1f388db3b6e46bc40681dd7aaa38730d19cd6873266bf08f

SHA512
b23cd1eada0355af9c4e949797ecc2cf076f75af661aabb07296f8ce5394327894fe00a70a1d15583795a2b6fa46be8f68a351a791d5fd16e4bb26954f288499

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
117KB

MD5
2c1be744ec9a313530e9065b38f457a8

SHA1
9a3c75163218ba7fc2dfda422845d10e026e186a

SHA256
e80055af569d8d7a72847af7c1160879aa548a36c54e3e09e006cfee9d2b1548

SHA512
f22ab914d793d3417c62bc34b782764bbedf6c38a8b062989cafb2dcb83e2128f9647e452db40b8e4ef0cd46602fedf7b5adc427cd4a8cb271539486a58716d2

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
117KB

MD5
3bb8d62421f13c1c3da723993b279c91

SHA1
385a5333ca3488eb53c612087844348ea603303e

SHA256
d2c6bad0b7b4582018039b3d28d590239f031a1a350859e36717525c586adf25

SHA512
f6949d47e031fe31d814f02c001c74010c9fd4fe7e15b0ad75c8fe16e7319196510d3885e3a2cda233a476d6391ac9c7dfd31744214e144ccf818f39d0420982

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
117KB

MD5
b582f89e28c2db19a8383fb7c8ab92c8

SHA1
8699d60b7c8b3e8ec09e609a44c4ae2d62db2128

SHA256
268ba2418c4b257e78ae413659d338936dd0048f0bf59414b14b6c8481756f40

SHA512
74fc05ea3aab3c29ae8a99ea573dd6f81edc0a42733b049ec58480fd558d0d78d8f945aaab8005a29ef360aad5995892ef793eabe673d252450b51d277448a44

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
117KB

MD5
b0d7921b1a3cc0d2073f5e5f520ea5c5

SHA1
24e19117e797be80b444f7638224d64c5a136b7d

SHA256
74354e1e7a606142277eec62ed06cde66d64eb6bc6d5ea36b97df2556cc5995c

SHA512
764929010c61185072f81a217f526e4ae16709d9ed650983a95358c71679e800289c3f47b8bfa6e8b57fae875ed314503288e3ca3b621e248fb3c3e2b1e11433

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
117KB

MD5
bdb4765ad7826209813f78478c5700e6

SHA1
a2137135fecb1e503a2a7b0ce0e56faca11010cc

SHA256
0f1b12eca304384c2b0aa683535443b51e1078d8f20e54ce8aa5ae3805c6af22

SHA512
114330b744a2b6e3abfe081c1fa62c8290cbdef601b01293b18815a9bafbf59325b2a6490e88d3c495335199c6a3d0f0072d211aaf7807fbc463af92cdae35e4

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
117KB

MD5
df9cc392ae2cd4167079929ab085ca75

SHA1
4ebbad61e087dfbbf493f01f70c36c53d168a47a

SHA256
63e8c0a2fdc787345d18ccb9dcb798a6879c87af9263779c4d494699dc0705e3

SHA512
87548189304578b182548f670b2b354a9c18ac2988fb90d4eca88d8a8ac736413a447822d0634d234b3452a974cbd7eeb7e2e29ec83eb517010b896d5103d15d

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
117KB

MD5
84ab314988f6f29e542ea5485042f800

SHA1
feec7873ebee878bfaec2e28e615515d39e3f83a

SHA256
107dda6ce68e1b870e8d3c268420f6e3b2b8eb0609b26cf057e330a16393882e

SHA512
35f1250574a4317911a7e8159ed8a915a97557f10c635c352f283d0ef75646c56e101e8871e009427ee74ba3cdc73dd09366a06370311f05184a9a95a71e0fc8

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
117KB

MD5
3e3af240a76344b90e66f8a728b0db5f

SHA1
43444b5fcb12a87071ce1356ffa59612ba8fdf42

SHA256
a1e8b0a8085daa5335ab9382be1abf78784e8872340e86bd81dede2e39561b74

SHA512
e25e94f7636797f7fd0be33ba36cec7b615e3e323345e1be6e9ab81b8f74e7f343fc9d86dbda163cfaf38c94c8a4ea4040711377e36dda7d7d006a0d1ebba547

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
117KB

MD5
3c1ee9b9697bd3706c9dc1fe99752a8d

SHA1
9a2eb2baff01fc0ccb33e7a2c666970d2aefe91d

SHA256
c77d60e96d1e396dea8d7ad86675e7a9470cdf18c40ecc875da5ddb33727c408

SHA512
4545c2f32386e91105ba07307f255df10f66ba9600368c72fd2af82e6f23b42760a310996b39368af948aaed5ec3a5d9727c0cc603d15e0dcb4eba25bfd2461d

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
117KB

MD5
e4c72f78bc1be92de1cf534b88897f31

SHA1
accc37d0d119605d3e670c22dd8ade92e341a372

SHA256
bcdba19f7156d388307da40b87f07f9375b14e7b7b9fd4804d3ce56f3f202cb1

SHA512
dd5ba340555463d011182fdd062ce28b40749ea81c674900d80d9f68bb2d8c8d5bd9189254238b787bd9fe76bb6b2d0063df359a118a428e5988e5425b76a398

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
117KB

MD5
0536b469fee82020114a65e8a4e049e9

SHA1
0f76801ddea76f4d40d51004dcb0b4595a83a06f

SHA256
c58f472f7844e3274dd0477d6aca765789f98e1c84c8c1dbc389c427d44201fe

SHA512
d41e608e8a01f72417cc68a1eb685eb8ed498a74c50b67b8dff147bd9a12789ab4e4dda6c4f2c0f94ef0ee47e1803a29e44442bd1c9a23e76b1921947a95bdf0

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
117KB

MD5
0ea4aeb45a616e498f1d91d8c3688542

SHA1
c9acdbbb53051a19f7f250bf1ffa92ce9ba68f27

SHA256
c5d3071d29c0049bea388f8b8e3da73a6f0cbc4289d1b848baa7c4cde1e7dc2d

SHA512
936b05fe8f95c2e14ca70e0afc27e85b69cd768c1186877417de4054196b3c1eb2cb0cfef13df9f80f46c290b2847d823774be3ba0910ffa902375f0aab2f480

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
117KB

MD5
451edaef276c05e732af565710d37d6a

SHA1
919399b9e172e36fb8f0987a8ff2b9cdc0ba534f

SHA256
6657699466e7153b9da24c167c353bf3405894b99523718623792b4fe8f631eb

SHA512
ffa50b44e35f505cac0a4f4b966424164aef388ff62254c65a1ace871cf2a928be358ac50fd72b4253dc0abf450e21a0f44004ca322326c50d33b499a3a52ef8

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
117KB

MD5
c669dacde635eaca029d50f65289973c

SHA1
763ba98a658099d3cedbb7df14a59b0cc684ab94

SHA256
af58ffa929f162d31710743654a1869573cd749363f3d0c83601e0682f7265d1

SHA512
3b846af83f0f5ffd50b84b5d7432dc0957018b9789d6ea270e14dc7b2ecaf2202399b73fd4327d149442bb25d99c71addc0a887350499ae80be469c847020ba1

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
64KB

MD5
df2b1513e79f39d0c942d1575c841cd7

SHA1
91487ae0dc968a3417977127a4e54fb630ec686e

SHA256
ecf81a33cb12a352365398fe7dcb088d10e35dbfe3f4b0165f199ad1f6974597

SHA512
beb7e5789d7b5612758491b44c6f3487e8f74b8d64e5e8b52948f363b0dead106e5221e982559587baeb34d59a600223d4d3b2f519159ac480c99d36ee2811bf

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
117KB

MD5
bc3a7203f290e91ef7419797d5e4f859

SHA1
f2bf6952a9e3c6aa6811ca628f3a7f86039aa10c

SHA256
947ce2d97a97f136737f1833a7d9eb3beb75c3e229b57aec6aac44bc2c06d287

SHA512
6dd44dd8c8b73e502a8be5965cbef38d0c3fa2f536f31e6ebcd2d440070ac696cfdc5ab315b0a2ca63faa315d92539224619c7aad8c970121060e8618f17a96e

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
117KB

MD5
46b7215be6d793664ddf6caf54b31165

SHA1
f564e606c66f312620f14add657fa6b65e3d6960

SHA256
28aa8fa1c0e7629ae57b77062787b12ff650c49f81d66e408e06ace9510bed49

SHA512
4b2ae4bccea7f4164e91bd8bc6121b76881729af8e16fcc6777baaf198eba8d3228c10f4e927004a9e14a310db8a5b6f52df891c1aeab712991d5b3cdb8eb8f1

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
117KB

MD5
785ba7117296c735a340bd1688dc82e9

SHA1
172102deae0a2df0137e2b6fcfb820da6c82b2bf

SHA256
b2ad9f990405f33d47f5044150ccac7f79aa9a40e5cba28534be4ae868192efc

SHA512
9e8a02f76f900e99d96c4e5e6b2435bd82b3243f3cdb0938e2eb21cc137f40c23e5009a87a1f57896b1dd078468e0377090eeee0c7db86c6c7ca92cd246908cb

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
117KB

MD5
c3534ba8fcc9921bdd27c704345bd12f

SHA1
537b4c5d6a634c4cebf1a9fdab538a9df66bb89a

SHA256
2fd18b84792354bc755632fd3c3688fecaf0321814c303b2bc60c65848c72ee3

SHA512
a0aea8f43daa7cc1ebbdbc3697c0168832b180c1066556368d2a85c74a1aaf556d2b88aba845ed17af8e82d6afd51128c4e81efe52c52b9856399847d439314a

Download Submit
C:\Windows\SysWOW64\Jpckhigh.dll

Filesize
7KB

MD5
9ba5d0afc9d9cb340a6617af9aaff1c3

SHA1
0aec6365f447b806409a84a710d33594bbaf6098

SHA256
af6f011f124ec327ae5b81e130550017980d1063f6fdd5d119ce04294c61ae03

SHA512
65b8b69d8b289eefe5abb68d3f3cb1eff3a897a2a1bed1ac374c0904b58dd76ab0434d148103942d3d7787bced57a179b948c5efdab7ca0c9aeef56b8cab27f1

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
117KB

MD5
e716f30d5a1d557323484bdcdb1ce80d

SHA1
d7d636dea1b958a24a112d74ba4733ae0bd2528b

SHA256
a4424406373de7532d503f1c9ff877b1166af313a06984bfe69552e09c4b791f

SHA512
73c9aa974b50969f6d138c736bdb149ab8c16e64aa08dc73839b88301baf01dafb5ea39cc9a8763d83d77bb4246ea980f7d5cf3eb3291aefe01aeefd426b8ffe

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
117KB

MD5
64511d23fe40ad4ff312a71461f99b93

SHA1
618d64100bec3b2131f82adcaac69f3e213e48d1

SHA256
bd5a2e93be8fe619a07fdb3b7b17a66340f65728ad13125c168428be714ba7bf

SHA512
d5ea9ed5164c1effdea8f382edb4271095486099c83d9f4470a1ccca32e1427b8e4aeef827953fd92e8c13b445d9b450d4631e5b4e669185ad2abbd3c847f5bd

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
117KB

MD5
153c960a4185077b14bad4e0efad591c

SHA1
d97194be65dc114c027566415d65140dea2cc0db

SHA256
bc3bd147e6f85d16429c35840578b58b5663840eb34729848090b45ffd00bf25

SHA512
e57a05754b4c5ba6cb5b6c261b8e2a4f17f00dbc6935e4b0ba4cc541488c8495d9ef8c970f9ddd5b7c56687824f477d3ff034b9562478f3497dcd31d374d2727

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
117KB

MD5
f48f318e0940a93b81f61b3960019939

SHA1
42dae90d4c6598a5a88838a4748b41b9f5c6ff7e

SHA256
8ceb5b06d90249cbaa13f1e60f2cdb739430dfa851c95828c2d7e421cd159faa

SHA512
a6591a3a029cb4010de4a78b0592d753ad50e969ba41dd0ccd5a6de78a66586cf0fcaaa0229339c65ef126745d178cfa93ed2abb7e996c6cf9cb591461a7686f

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
117KB

MD5
1967a870d68b2bf5922265b6ac606656

SHA1
7addcc284ce9315639dad686f9ac29c0c03a008a

SHA256
3a556291d385137bed0fc2898694e1ee817ee7d5065e5cee804e07415fd324b8

SHA512
580646a96d3cd7babad68834a4965a3840782058728a57253946ffbdb267e5741964f355ddceecb67c4ca8bef78c9b7b5bc8fa5cbddcf53b958d0d415a5e7322

Download Submit
memory/396-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/432-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/628-592-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/668-488-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/688-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/748-602-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/748-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/752-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/860-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/880-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/940-549-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/940-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1020-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1040-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1248-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1276-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1292-564-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1292-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1308-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1316-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1356-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1360-512-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1388-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1596-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-11-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1644-44-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1752-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1768-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-574-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1924-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1948-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-578-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2064-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-591-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2268-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2316-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2392-452-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2532-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2576-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2616-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2676-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2688-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-550-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2860-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2876-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3100-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3148-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3164-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3188-589-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3220-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3296-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3312-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3356-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3380-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3572-398-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3748-576-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3792-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3824-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3872-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3880-374-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3884-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3888-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4048-434-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4068-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4144-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4228-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4328-459-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4464-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4504-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4548-542-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4556-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-501-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4656-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4676-465-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4688-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4724-604-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4744-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4748-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-391-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4888-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4936-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5036-584-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5036-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5044-422-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download